
NetScreen Concepts & Examples
ScreenOS Reference Guide

Volume 5: Dynamic Routing

ScreenOS, Rev F

Copyright Notice
NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc. 350 Oakmead Parkway Sunnyvale, CA 94085 U.S.A. www.netscreen.com

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected. Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.

CONTENTS

Preface
Conventions
    WebUI Navigation Conventions
        Example: Objects > Addresses > List > New
    CLI Conventions
        Dependency Delimiters
        Nested Dependencies
        Availability of CLI Commands and Features
NetScreen Documentation

OSPF Task Reference
    Overview of OSPF
        Areas
        Router Classification
        Hello Protocol
        Network Types
            Broadcast Networks
            Non-Broadcast Networks
            Point-to-Point Networks
        Link State Advertisements
        OSPF on NetScreen Devices
            OSPF Support on VPN Tunnels
            OSPF Authentication
            OSPF Interface Characteristics
    OSPF Commands
        OSPF Context Initiation
    Basic OSPF Configuration Tasks
        Enabling OSPF Instances at the Virtual Router Level
            Example: Starting an OSPF Instance
        Removing an OSPF Virtual Routing Instance
            Example: Disabling OSPF
        Creating OSPF Areas
            Example: Create an OSPF Area
        Assigning Interfaces to Areas
            Example: Assigning an Interface to an OSPF Area
        Redistributing Routes
            Example: Redistributing a BGP Route into OSPF
    OSPF Interface Configuration
        Setting a Neighbor List for an OSPF Interface
            Example: Configuring a Neighbor List
        Setting a Retransmit Interval for an OSPF Interface
            Example: Configuring the Retransmit Interval
        Setting a Priority Value on an OSPF Interface
            Example: Configuring the Priority Value
        Setting a Transit Delay Value on an OSPF Interface
            Example: Configuring the Transit Delay
    OSPF Virtual Link Configuration
    OSPF Information
    Other OSPF Configuration
        Binding OSPF to a Tunnel Interface
            Example: Binding a Tunnel to an OSPF Routing Instance
        Announcing a Default Route in All Areas
            Example: Advertising the Default Route
        Configuring Summary Routes
            Example: Summarizing Redistributed Routes
        Removing a Default Route
            Example: Removing the Default Route from the Route Table
        Setting an Area Range
            Example: Configuring an Area Range
        Setting a Hello Flood Attack Threshold
            Example: Configuring the Hello Threshold
        Setting an LSA Threshold
            Example: Configuring the LSA Threshold
        Configuring an RFC-1583 Environment
            Example: Change to an RFC-1583 Environment
            Example: Ignoring Default Route Advertisements

BGP Task Reference
    The BGP Commands
        Context Initiation
        Basic BGP Command Descriptions
    Basic BGP Configuration Tasks
    Advanced BGP Configuration Tasks

Index

PREFACE
Routing is an essential part of security devices. Without routing, a security device could not forward secured traffic to its intended destinations. Dynamic routing shortens the time between a change in network topology and the moment traffic is forwarded along the new paths. Volume 5, Dynamic Routing, describes how to configure Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP). This volume describes the following:
Overview of OSPF, OSPF commands, basic configuration, advanced configuration
Overview of BGP, BGP commands, basic configuration, advanced configuration


CONVENTIONS
This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The conventions used for both are introduced below.

WebUI Navigation Conventions


Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and links.

Example: Objects > Addresses > List > New


To access the new address configuration dialog box, do the following:
1. Click Objects in the menu column. The Objects menu option expands to reveal a subset of options for Objects.
2. (Applet menu) Hover the mouse over Addresses. (DHTML menu) Click Addresses. The Addresses option expands to reveal a subset of options for Addresses.
3. Click List. The address book table appears.
4. Click the New link in the upper right corner. The new address configuration dialog box appears.


CLI Conventions
Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.

Dependency Delimiters
Each syntax description shows the dependencies between command features by using special characters.
The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.
The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
The | symbol denotes an "or" relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.

Nested Dependencies
Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.

[ feature_1 { feature_2 | feature_3 } ]

The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3, and still execute the command successfully. However, because the { and } delimiters surround feature_2 and feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot successfully execute the command. The following example shows some of the feature dependencies of the set interface command.

set interface vlan1 broadcast { flood | arp [ trace-route ] }


The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following forms:

ns-> set interface vlan1 broadcast flood
ns-> set interface vlan1 broadcast arp
ns-> set interface vlan1 broadcast arp trace-route

Availability of CLI Commands and Features
As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model. Because NetScreen devices treat unavailable command features as improper syntax, attempting to use such a feature usually generates the "unknown keyword" error message. When this message appears, confirm the feature's availability using the ? switch. For example, the following commands list available options for the set vpn command:

ns-> set vpn ?
ns-> set vpn vpn_name ?
ns-> set vpn gateway gate_name ?


NETSCREEN DOCUMENTATION
To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.

To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below: techpubs@netscreen.com


OSPF Task Reference


This chapter describes the Open Shortest Path First (OSPF) routing protocol. The following topics are covered:

Overview of OSPF
    Areas
    Router Classification
    Hello Protocol
    Network Types
    Link State Advertisements
    OSPF on NetScreen Devices
OSPF Commands
Basic OSPF Configuration Tasks
    Enabling OSPF Instances at the Virtual Router Level
    Removing an OSPF Virtual Routing Instance
    Creating OSPF Areas
    Assigning Interfaces to Areas
    Redistributing Routes
OSPF Interface Configuration
    Displaying OSPF Interface Details
    Setting a Clear-Text Password on an Interface
    Setting a Cost Value for an OSPF Interface
    Setting a Dead Interval for an OSPF Interface
    Setting a Hello Interval for an OSPF Interface
    Setting a Neighbor List for an OSPF Interface
    Setting a Retransmit Interval for an OSPF Interface
    Setting a Priority Value on an OSPF Interface
    Setting a Transit Delay Value on an OSPF Interface
OSPF Virtual Link Configuration
    Creating a Virtual Link
    Automatically Creating a Virtual Link
    Creating a Message Digest for a Virtual Link
    Configuring a Clear-Text Password for a Virtual Link
    Creating a Dead Interval for a Virtual Link Neighbor
    Configuring a Retransmit Interval for a Virtual Link
    Configuring a Transit Delay Value for a Virtual Link
OSPF Information
    Displaying Statistics for an OSPF Routing Instance
    Displaying Details about Redistribution Conditions
    Displaying Details about Redistributed Routes
    Displaying Objects in the OSPF Database
    Displaying Stub Details
    Displaying OSPF Configuration
Other OSPF Configuration
    Binding OSPF to a Tunnel Interface
    Announcing a Default Route in All Areas
    Configuring Summary Routes
    Removing a Default Route
    Setting an Area Range
    Setting a Hello Flood Attack Threshold
    Setting an LSA Threshold
    Configuring an RFC-1583 Environment

OVERVIEW OF OSPF
Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (i.e., usable interfaces and neighbor reachability) by flooding link-state advertisements (LSAs) throughout the AS. Each OSPF router uses the LSAs it receives from neighboring routers to maintain a link-state database, which lists topology and state information for the surrounding networks. The continual distribution of LSAs throughout the AS enables all routers in the AS to maintain an identical link-state database. OSPF uses the link-state database to determine the best path to any network within the AS. It does this by generating a shortest-path tree, a representation of the shortest path from the computing router to every network within the AS. While all routers share the same link-state database, each one has a unique shortest-path tree, because every router generates the tree with itself at the top (root). LSAs, link-state databases, and areas are covered in more detail later in this chapter.
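The "same database, different tree" point above is easy to see by running the SPF calculation from two different roots. The following is an added example, not code from the ScreenOS guide: the link-state database is a constructed list of router-to-router links with made-up names and costs, taken as bidirectional with symmetric cost, and spf() is a plain Dijkstra that records, for each destination, the neighbor of the root through which the shortest path leaves, which is what the routing table needs.

```python
"""Shortest-path-first (SPF) over a shared link-state database.

Added example, not from the ScreenOS guide. Every OSPF router in an area
holds the same link-state database but runs Dijkstra with itself as the
root, so each ends up with its own shortest-path tree and its own next
hops. The LSDB below is constructed: router names and link costs are
made up, and links are taken as bidirectional with symmetric cost.
"""
import heapq

# Constructed LSDB: (router, neighbour, cost), one entry per link as a
# router LSA would report it.
LSDB = [
    ("R1", "R2", 10),
    ("R1", "R3", 1),
    ("R2", "R3", 1),
    ("R2", "R4", 5),
    ("R3", "R4", 10),
]


def adjacency(lsdb):
    """Turn the flat LSA list into {router: {neighbour: cost}}."""
    graph = {}
    for a, b, cost in lsdb:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(lsdb, root):
    """Dijkstra from `root`.

    Returns {router: (total_cost, next_hop)} where next_hop is the neighbour
    of root that the shortest path leaves through. The root maps to
    (0, None).
    """
    graph = adjacency(lsdb)
    cost = {root: 0}
    next_hop = {root: None}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue  # stale heap entry, a shorter path was found already
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < cost.get(v, float("inf")):
                cost[v] = nd
                # Paths leaving root directly start at v; deeper nodes
                # inherit the first hop of the node they were reached via.
                next_hop[v] = v if u == root else next_hop[u]
                heapq.heappush(heap, (nd, v))
    return {r: (cost[r], next_hop[r]) for r in cost}


if __name__ == "__main__":
    for root in ("R1", "R4"):
        print(root, "tree:", spf(LSDB, root))
```

From R1 the cheapest way to R4 is R1-R3-R2-R4 (cost 7, next hop R3); from R4 the cheapest way to R1 is R4-R2-R3-R1 (cost 7, next hop R2). Same database, different trees, and the direct R1-R2 link (cost 10) is never used by either.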

Areas
OSPF allows networks to be grouped together logically or geographically by the use of areas. Areas also reduce the amount of routing information passed throughout the network, because a router only maintains a link-state database for the area it resides in. No link-state information is maintained for networks and routers outside the local area. By default all routers are grouped into a single backbone area called area 0 (usually denoted as area 0.0.0.0). However, large, geographically dispersed networks are typically segmented into multiple areas, because as networks grow, link-state databases grow, and dividing the link-state database into smaller groups allows for better scalability. It is important to note that all areas must be directly connected to area 0, with only one exception (virtual links), covered later.


A router that is placed between two areas is called an area border router. Because all areas must be directly connected to area 0, a non-backbone area often does not need full knowledge of routes from outside OSPF and can be configured as a stub area, which limits the LSAs flooded into it. There are two common types of stub areas used in OSPF, each with its own characteristics:
Stub area - An area that receives summary routes from the backbone area but does not receive link-state advertisements for routes learned through non-OSPF sources (i.e., BGP) in other areas. A stub area is considered a Totally Stubby Area if no summary routes are allowed into the stub area either.
Not So Stubby Area (NSSA) - Like a normal stub area, an NSSA does not receive routes from non-OSPF sources outside the current area. However, external routes learned within the area can be passed on to other areas.

Areas are configured at the VR level first, then interfaces can be configured to reside in areas defined at the VR level.

Router Classification
Routers that participate in OSPF routing are classified according to their function or location in the network:
Internal Router - A router with all interfaces belonging to the same area.
Backbone Router - A router that has an interface in the backbone area.
Area Border Router - When an OSPF area borders another area, the router between the two areas is called an area border router. An area border router (ABR) is a router that has interfaces in multiple areas, one of which is the backbone area. An ABR summarizes the routes from the non-backbone area for distribution back to area 0. If a second area is created within ScreenOS and interfaces are placed in it, the device functions as an ABR.
AS Boundary Router - When an OSPF area borders another AS, the router between the two autonomous systems is called an autonomous system boundary router (ASBR). An ASBR is responsible for advertising external AS routing information throughout an AS.


Hello Protocol
Two routers with interfaces on the same subnet are considered neighbors. Routers use the Hello protocol to establish and maintain these neighbor relationships. When two neighbors establish bidirectional communication and go on to synchronize their link-state databases, they are said to have established an adjacency. If two routers do not establish an adjacency, they cannot exchange routing information. In cases where there are multiple routers on a network, it is necessary to elect one router as the designated router (DR) and another as the backup designated router (BDR). The DR is responsible for originating the network LSA, which lists all OSPF-enabled routers attached to the network. The DR and BDR are the only routers that form adjacencies with every other router on the network; the remaining routers form adjacencies only with the DR and BDR, not with each other, so routing information on the segment flows through the DR. It is this hierarchy that enables OSPF to scale on multi-access networks while minimizing protocol traffic. The BDR is responsible for becoming the designated router if the DR should fail.
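The election itself is worth seeing in code, because a detail the prose leaves implicit matters operationally: it is non-preemptive, so a higher-priority router joining a segment does not take over from an existing DR. The following is an added example, not code from the ScreenOS guide; it follows the election steps of RFC 2328 section 9.4 and the router IDs, priorities and scenarios are constructed.

```python
"""DR/BDR election on a multi-access segment, after RFC 2328 section 9.4.

Added example, not from the ScreenOS guide. Router IDs and priorities are
constructed. Each router is modelled by what its Hello packets carry: its
Router ID, its Router Priority, and the DR/BDR it currently declares.
"""
import ipaddress


def _rank(router):
    """Election order: higher priority wins, ties go to the higher Router ID."""
    return (router["priority"], int(ipaddress.IPv4Address(router["id"])))


def _pick(pool):
    return max(pool, key=_rank)["id"] if pool else None


def elect(routers):
    """Return (dr, bdr) as a router on the segment would calculate them.

    Priority 0 makes a router ineligible. A router that already declares
    itself DR keeps the role even when a higher-priority router appears:
    the election is deliberately non-preemptive so that a newcomer does
    not force every adjacency on the segment to be rebuilt.
    """
    eligible = [r for r in routers if r["priority"] > 0]

    # Step 2: the BDR is chosen among routers not claiming to be DR,
    # preferring any that already claim the BDR role.
    not_dr = [r for r in eligible if r["declared_dr"] != r["id"]]
    bdr = _pick([r for r in not_dr if r["declared_bdr"] == r["id"]] or not_dr)

    # Step 3: the DR is the best router that claims the role; if nobody
    # does, the newly chosen BDR is promoted.
    claiming_dr = [r for r in eligible if r["declared_dr"] == r["id"]]
    dr = _pick(claiming_dr)
    if dr is None:
        dr = bdr
        # Step 4: the promoted router vacated the BDR slot, so re-run the
        # BDR selection without it.
        remaining = [r for r in not_dr if r["id"] != dr]
        bdr = _pick([r for r in remaining if r["declared_bdr"] == r["id"]]
                    or remaining)
    return dr, bdr


def router(rid, priority, declared_dr="0.0.0.0", declared_bdr="0.0.0.0"):
    return {"id": rid, "priority": priority,
            "declared_dr": declared_dr, "declared_bdr": declared_bdr}


# Constructed segment: a fresh election with no incumbents. 10.0.0.3 has
# priority 0 and can never be elected.
FRESH = [router("10.0.0.1", 10), router("10.0.0.2", 100),
         router("10.0.0.3", 0), router("10.0.0.4", 10)]

# Same segment later: 10.0.0.1 became DR and 10.0.0.4 BDR before the
# priority-100 router came up, so both advertise those roles in Hellos.
INCUMBENT = [router("10.0.0.1", 10, declared_dr="10.0.0.1", declared_bdr="10.0.0.4"),
             router("10.0.0.2", 100),
             router("10.0.0.3", 0),
             router("10.0.0.4", 10, declared_dr="10.0.0.1", declared_bdr="10.0.0.4")]

if __name__ == "__main__":
    print("fresh election:", elect(FRESH))
    print("with incumbents:", elect(INCUMBENT))
```

In the fresh election the priority-100 router becomes DR and the higher of the two priority-10 Router IDs becomes BDR. With incumbents, the same priority-100 router is left as a DRother, which is why the priority value on a firewall interface only reliably controls the outcome if it is set before the segment's first election.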

Network Types
ScreenOS supports the following network types:
Broadcast Networks
Non-Broadcast Networks
Point-to-Point Networks

Broadcast Networks
A broadcast network is a network that connects many routers together and can send, or broadcast, a single physical message to all the attached routers. Pairs of routers on a broadcast network are assumed to be able to communicate with each other. Ethernet is an example of a broadcast network. On broadcast networks, the OSPF router dynamically detects its neighbor routers by sending Hello packets to the multicast address 224.0.0.5. For broadcast networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.


Non-Broadcast Networks
A non-broadcast network is a network that connects many routers together but cannot broadcast messages to attached routers. On non-broadcast networks, OSPF protocol packets that are normally multicast need to be sent to each neighboring router individually. On non-broadcast networks, OSPF runs in one of two modes:
Non-broadcast multi-access (NBMA) simulates OSPF operation on a broadcast network.
Point-to-multipoint treats the network as a collection of point-to-point networks.

On non-broadcast networks, you will need to enter configuration information in order for the OSPF router to discover its neighbors. For NBMA networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.

Point-to-Point Networks
A point-to-point network typically joins two routers over a Wide Area Network (WAN). An example of a point-to-point network is two routers connected by a 56Kb serial line. On point-to-point networks, the OSPF router dynamically detects neighbor routers by sending Hello packets to the multicast address 224.0.0.5.


Link State Advertisements
Each OSPF router sends out LSAs that define the router's local state information. Additionally, there are other types of LSAs that a router can send out, depending upon the router's OSPF function. The following table summarizes the LSA types:

Router LSA
    Sent by: All OSPF routers
    Flooded throughout: Area
    Information sent in LSA: Describes the state of the originating router's interfaces in the area.

Network LSA
    Sent by: Designated Router on broadcast and NBMA networks
    Flooded throughout: Area
    Information sent in LSA: Contains a list of all routers connected to the network.

Summary LSA
    Sent by: Area Border Routers
    Flooded throughout: Area
    Information sent in LSA: Describes a route to a destination outside the area but still inside the AS. There are two types:
    - Type 3 summary-LSAs describe routes to networks.
    - Type 4 summary-LSAs describe routes to AS boundary routers.

AS-External LSA
    Sent by: Autonomous System Boundary Router
    Flooded throughout: Autonomous System
    Information sent in LSA: Routes to a network in another AS. Often, this is the default route (0.0.0.0/0).


OSPF on NetScreen Devices
On NetScreen devices, OSPF is enabled on a per-virtual-router basis and has configuration parameters at the VR level and at the interface level. Since you can have multiple virtual routers in a system, you can also run multiple instances of OSPF on a single device. ScreenOS supports OSPF version 2, as defined by RFC 2328. You can also configure OSPF to be compatible with RFC 1583, an earlier specification of OSPF version 2.

OSPF Support on VPN Tunnels
OSPF is supported over IPsec VPN tunnels and requires the use of route-based VPNs. You can enable OSPF on a VPN that is bound to a single tunnel interface, which can be numbered or unnumbered. After binding the VPN to the tunnel interface, you enable and configure OSPF in the same way as on a physical interface. When OSPF is enabled on a tunnel interface, the network type is point-to-point.

OSPF Authentication
ScreenOS provides simple password and MD5 authentication to validate OSPF packets received from neighbors. Authentication can be configured at the virtual router level; in this case, all OSPF interfaces associated with the virtual router use the same authentication method. Authentication can also be configured at the interface level. Note that simple password authentication places the password, unencrypted, in every OSPF packet, so anyone able to capture traffic on the segment can read it and inject routing updates; prefer MD5 wherever the neighboring routers support it.
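To make the difference between the two methods concrete, the following added example (not ScreenOS code, and not from the guide) builds an OSPFv2 Hello packet with each AuType as laid out in RFC 2328, Appendix D, and verifies it the way a receiving router does. The router ID, area, mask, timers and both keys are constructed sample values; the eight-character and sixteen-character keys match the lengths the guide gives for the two methods. With AuType 1 the password sits in bytes 16 to 23 of every packet; with AuType 2 only a digest over the packet plus the key is sent, and the key never crosses the wire.

```python
"""OSPFv2 packet authentication (RFC 2328, Appendix D).

Added example, not ScreenOS code: builds a Hello packet with the simple
password AuType (1) or the cryptographic MD5 AuType (2) and verifies it as
a receiving router would. All addresses, timers and keys are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION, OSPF_HELLO = 2, 1
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_MD5 = 0, 1, 2
HEADER_LEN = 24   # fixed OSPF header including the 8-byte auth field
MD5_LEN = 16


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def ip_checksum(data):
    """RFC 1071 ones-complement sum, used with AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask, hello, dead, priority, dr="0.0.0.0", bdr="0.0.0.0"):
    """Mask, HelloInterval, Options (E bit), Rtr Pri, RouterDeadInterval,
    DR, BDR; no neighbours listed."""
    return struct.pack("!IHBBIII", _ip(mask), hello, 0x02, priority, dead,
                       _ip(dr), _ip(bdr))


def build_hello(router_id, area_id, body, autype, key=b"", key_id=1, seq=1):
    """Wrap `body` in an OSPF header using the requested AuType."""
    length = HEADER_LEN + len(body)
    fixed = struct.pack("!BBHII", OSPF_VERSION, OSPF_HELLO, length,
                        _ip(router_id), _ip(area_id))
    if autype == AUTYPE_MD5:
        # No checksum. Auth field = key id, digest length, sequence number
        # (anti-replay). The digest follows the packet and is not counted
        # in the length field.
        auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
        pkt = fixed + struct.pack("!HH", 0, autype) + auth + body
        padded = key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]
        return pkt + hashlib.md5(pkt + padded).digest()
    # AuType 0/1: checksum covers everything except the 64-bit auth field,
    # which for AuType 1 carries the zero-padded password itself.
    auth = key.ljust(8, b"\x00")[:8] if autype == AUTYPE_SIMPLE else bytes(8)
    csum = ip_checksum(fixed + struct.pack("!HH", 0, autype) + body)
    return fixed + struct.pack("!HH", csum, autype) + auth + body


def password_on_wire(pkt):
    """What a sniffer on the segment reads out of an AuType 1 packet."""
    return pkt[16:24].rstrip(b"\x00")


def verify_simple(pkt, key):
    autype = struct.unpack("!H", pkt[14:16])[0]
    if autype != AUTYPE_SIMPLE:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    stored = struct.unpack("!H", pkt[12:14])[0]
    recomputed = ip_checksum(pkt[:12] + struct.pack("!HH", 0, autype)
                             + pkt[HEADER_LEN:length])
    return (recomputed == stored
            and hmac.compare_digest(pkt[16:24], key.ljust(8, b"\x00")[:8]))


def verify_md5(pkt, key):
    autype = struct.unpack("!H", pkt[14:16])[0]
    if autype != AUTYPE_MD5:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    _, _key_id, auth_len, _seq = struct.unpack("!HBBI", pkt[16:24])
    if auth_len != MD5_LEN or len(pkt) != length + MD5_LEN:
        return False
    # A real receiver also selects the key by _key_id and rejects _seq values
    # lower than the last one accepted from this neighbour.
    padded = key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]
    expected = hashlib.md5(pkt[:length] + padded).digest()
    return hmac.compare_digest(expected, pkt[length:])


BODY = hello_body("255.255.255.0", hello=10, dead=40, priority=10)
SIMPLE_PKT = build_hello("212.1.1.1", "0.0.0.10", BODY, AUTYPE_SIMPLE, b"12345678")
MD5_PKT = build_hello("212.1.1.1", "0.0.0.10", BODY, AUTYPE_MD5, b"1234567890123456")

if __name__ == "__main__":
    print("clear-text password on the wire:", password_on_wire(SIMPLE_PKT))
    print("MD5 verifies with right key:", verify_md5(MD5_PKT, b"1234567890123456"))
    print("MD5 verifies with wrong key:", verify_md5(MD5_PKT, b"wrong key"))
```

The sequence number in the MD5 auth field is what stops a captured packet from being replayed later; MD5 itself is weak as a hash today, but for this keyed-digest use the practical risk is an attacker who obtains the key, which is why the guide's per-interface keys and key IDs matter.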


OSPF Interface Characteristics
Several OSPF parameters are configurable at the interface level. The following are OSPF interface characteristics:
Authentication Type - Authentication enables the interface to verify OSPF communication on the interface. Two types of authentication exist in ScreenOS: message digest (MD5) password authentication and clear-text password authentication. An MD5 authentication password requires a 16-character password string, and a clear-text password requires an eight-character password string. MD5 authentication also requires a key ID.
Cost - In OSPF, a route's cost determines the desirability of the route. The cost associated with a network interface depends on the bandwidth of the link to which the interface is connected. The higher the bandwidth, the lower, or more desirable, the cost value. The default cost is 10.
Dead Interval - The dead interval is the maximum amount of time that elapses without a Hello before OSPF declares a neighbor down. The default is 40 seconds.
Hello Interval - The OSPF routing instance sends out Hello packets at regular intervals. The default is 10 seconds.
Retransmit Interval - The retransmit interval is the amount of time that elapses between LSA retransmissions for adjacencies that belong to a specified interface. The default is 5 seconds.
Transit Delay - Transit delay is the estimated time required to transmit a link-state update packet over the interface; it is added to the age of LSAs sent on the interface. The default is 1 second.
Priority - The priority is used when electing the Designated Router and Backup Designated Router. The higher the number, the more likely the OSPF routing instance is to be elected as DR or BDR; a priority of 0 makes the interface ineligible. The default is 10.


OSPF COMMANDS
Use the ospf context commands and the interface commands to configure OSPF in a NetScreen device.

OSPF Context Initiation
To issue ospf context commands, do the following:
1. Enter the vrouter context by executing the set vrouter command, where vrouter is the name of the virtual router:
   ns-> set vrouter vrouter
2. Enter the ospf context by executing the set protocol ospf command:
   ns(trust-vr)-> set protocol ospf
For more information on the ospf context commands, refer to Context-Sensitive Commands in the CLI on page 2-58.


BASIC OSPF CONFIGURATION TASKS


The following configuration tasks are mandatory for most OSPF implementations.

Enabling OSPF Instances at the Virtual Router Level


You can enable or disable OSPF instances at the virtual router level or at the interface level. When you enable or disable OSPF at the virtual router level, all OSPF interfaces inside the virtual router are affected. When you enable or disable OSPF at the interface level, only the specific OSPF interface is affected. You can create an instance of OSPF in a virtual router using either the WebUI or the CLI set protocol ospf command.

Example: Starting an OSPF Instance


In the following example, you enable OSPF in the trust-vr with default options.

WebUI
Network > Routing > Virtual Routers > trust-vr : Select Create OSPF Instance , and then click OK .

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr)-> save
Note: Use the unset protocol ospf command to disable OSPF instances.


Removing an OSPF Virtual Routing Instance


Use the WebUI or the CLI unset enable command to remove the OSPF routing instance from the virtual router on which it was created.

Example: Disabling OSPF


In the following example, you disable the current OSPF routing instance.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Delete OSPF Instance.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> unset enable
4. ns(trust-vr/ospf)-> save


Creating OSPF Areas
To configure or display details about OSPF areas on a NetScreen device, use either the WebUI or the CLI set area commands.

Example: Create an OSPF Area


In the following example, you create an OSPF stub area with an area ID of 10.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area: Enter the following, and then click OK:
Area ID: 10
Type: stub
Action: Add

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set area 10 stub
4. ns(trust-vr/ospf)-> save


Assigning Interfaces to Areas


Once an area is created at the VR level, you can assign an interface to the area, using either the WebUI or the CLI set interface command.

Example: Assigning an Interface to an OSPF Area


In the following example, you assign interface ethernet1 to OSPF area 10.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for Area 10) > ethernet1: Use the Add button to move the interface from the Available Interfaces column to the Selected Interfaces column. Click OK.

CLI
1. ns-> set interface ethernet1 protocol ospf area 10
2. ns-> save


Redistributing Routes
Redistribution is the process of importing a route into the current routing domain from another part of the network that uses a different routing protocol. This process allows the translation of routing information, particularly known routes, from the other routing protocol. For example, if you are on an OSPF network and a BGP network, the OSPF domain can import all known routes from the BGP network to allow devices in the OSPF routing domain to reach devices on the BGP network. When a route is redistributed, it affects the number of external LSAs generated in a given domain: the router performing the redistribution originates an AS-external LSA for each redistributed route. To configure route redistribution, determine which routing protocol is the source of the routes and which routing protocol is the destination, or target, protocol that will advertise these newly learned external routes. Because different protocols are imported using different preferences, redistribution provides a local preference value as a way of comparing path desirability between protocols. When you configure route redistribution, you must first specify a route map that defines the routes to be redistributed; be deliberate about what the route map permits, since every route it lets through becomes reachable from the OSPF domain. For more information on configuring route maps, refer to Route Redistribution on page 2-74. You can redistribute routes using either the WebUI or the CLI set redistribute route-map commands.


Example: Redistributing a BGP Route into OSPF


In the following example, you redistribute a route that originated from a BGP routing domain into the current OSPF routing domain. Both the CLI and WebUI examples assume that you previously created a route map called map1.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules: Enter the following, and then click Add:
Route Map: map1
Protocol: BGP

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set redistribute route-map map1 protocol bgp
4. ns(trust-vr/ospf)-> save


OSPF INTERFACE CONFIGURATION


This section describes OSPF interface configuration tasks.

Displaying OSPF Interface Details


Use the CLI get interface command to display details of the interface for which you have configured an OSPF routing instance.

([DPSOH 'LVSOD\LQJ 263) ,QWHUIDFH ,QIRUPDWLRQ


In the following example, you display details of the interface for which you have configured an OSPF routing instance.

:HE8,
Note: You can only view OSPF configuration details for an interface through the CLI.

&/,
ns-> get interface ethernet1 protocol ospf VR: trust-vr RouterId: 212.1.1.1 ---------------------------------Interface: ethernet2/1 IpAddr: 20.20.20.20/16, OSPF: enabled, Router: enabled Type: Ethernet Area: 0.0.0.10 Priority: 100 Cost: 1 Transit delay: 60s Retransmit interval: 5s Hello interval: 10s Router Dead interval: 40s Authentication-Type: MD-5 Authentication-Key: **************** MD-5 KeyId: 1 State: Designated Router DR: 20.20.20.20(self) BDR: 0.0.0.0 Neighbors: Valid neighbor access list numbers in Vrouter (trust-vr) ---------------------------------------------------------------------1HW6FUHHQ &RQFHSWV ([DPSOHV 9ROXPH  '\QDPLF 5RXWLQJ 


Setting a Clear-Text Password on an Interface

To configure a clear-text password as an authentication method for OSPF communication on an interface, use either the WebUI or the CLI set interface command.

Example: Configuring the Clear-Text Password Authentication Method

In this example, you set a clear-text password 12345678 for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Password: (select), 12345678

CLI
1. ns-> set interface ethernet1 protocol ospf authentication password 12345678
2. ns-> save


Setting an MD5 Password on an Interface

To configure a message digest (MD5) password as an authentication method for all OSPF communication on an interface, use either the WebUI or the CLI set interface command.

Example: Configuring the MD5 Password Authentication Method

In the following example, you set a message digest password 1234567890123456 and a key ID 1 for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
MD5 Key: (select), 1234567890123456
Key ID: 1

CLI
1. ns-> set interface ethernet1 protocol ospf authentication md5 1234567890123456 key 1
2. ns-> save
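A defender's check built on the get interface ... protocol ospf output shown earlier in this section, added here as an illustration rather than taken from ScreenOS or this guide: it parses the interface fields into a dictionary and flags an interface whose OSPF authentication is absent or clear-text, or whose dead interval is not larger than its hello interval (the adjacency would then drop whenever a single hello arrives late). The sample output is constructed from the format shown above; the type names assumed for "no authentication" and "clear-text" (AUTH_NONE, AUTH_CLEAR) are assumptions and are marked as such in the code.

```python
import re

# Constructed sample in the layout of `get interface <name> protocol ospf`;
# the values are those of the example output earlier in this section.
SAMPLE_OUTPUT = """\
VR: trust-vr RouterId: 212.1.1.1
---------------------------------
Interface: ethernet2/1 IpAddr: 20.20.20.20/16, OSPF: enabled, Router: enabled
Type: Ethernet Area: 0.0.0.10 Priority: 100 Cost: 1
Transit delay: 60s Retransmit interval: 5s Hello interval: 10s Router Dead interval: 40s
Authentication-Type: MD-5 Authentication-Key: **************** MD-5 KeyId: 1
State: Designated Router DR: 20.20.20.20(self) BDR: 0.0.0.0
"""

# Constructed weak configuration: no authentication and a dead interval equal
# to the hello interval.
WEAK_OUTPUT = (SAMPLE_OUTPUT
               .replace("Authentication-Type: MD-5", "Authentication-Type: None")
               .replace("Router Dead interval: 40s", "Router Dead interval: 10s"))

# Assumed spellings: the exact strings ScreenOS prints for "no authentication"
# and for clear-text authentication are not shown in the guide; adjust if needed.
AUTH_NONE = {"none", "null"}
AUTH_CLEAR = {"password", "simple", "clear-text"}

FIELD_PATTERNS = {
    "interface": r"Interface:\s*(\S+)",
    "area": r"Area:\s*(\S+)",
    "priority": r"Priority:\s*(\d+)",
    "cost": r"Cost:\s*(\d+)",
    "transit_delay": r"Transit delay:\s*(\d+)s",
    "retransmit_interval": r"Retransmit interval:\s*(\d+)s",
    "hello_interval": r"Hello interval:\s*(\d+)s",
    "dead_interval": r"Router Dead interval:\s*(\d+)s",
    "auth_type": r"Authentication-Type:\s*(\S+)",
}


def parse_ospf_interface(text):
    """Extract the per-interface OSPF fields into a dict; numeric fields become ints."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            value = match.group(1)
            fields[name] = int(value) if value.isdigit() else value
    return fields


def audit(fields):
    """Return a list of findings for a parsed interface; an empty list means nothing to flag."""
    findings = []
    auth = fields.get("auth_type", "None").lower()
    if auth in AUTH_NONE:
        findings.append("no OSPF authentication: any host on the segment can form an adjacency")
    elif auth in AUTH_CLEAR:
        findings.append("clear-text password: the key is readable in every OSPF packet on the wire")
    hello, dead = fields.get("hello_interval"), fields.get("dead_interval")
    if hello is not None and dead is not None and dead <= hello:
        findings.append(f"dead interval {dead}s is not greater than hello interval {hello}s: "
                        "one delayed hello drops the adjacency")
    return findings


def audit_text(text):
    """Convenience wrapper: parse the CLI output and audit it in one step."""
    return audit(parse_ospf_interface(text))


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_OUTPUT), ("weak", WEAK_OUTPUT)):
        print(label, audit_text(text) or ["ok"])
```

The MD5 example in this section passes the audit; the constructed weak output produces two findings. The same parser can be pointed at the output of every interface with OSPF enabled to confirm that the clear-text method from the previous task has been replaced by MD5 everywhere.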


Setting a Cost Value for an OSPF Interface

You can set a cost value for an OSPF interface using either the WebUI or the CLI set interface command.

Example: Configuring the Cost for an OSPF Interface

In this example, you set a cost value for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Cost: 20

CLI
1. ns-> set interface ethernet1 protocol ospf cost 20
2. ns-> save


Setting a Dead Interval for an OSPF Interface

A dead interval is the maximum amount of time that can elapse before a neighbor is determined to be not running. To set a dead interval value on a physical interface on a NetScreen device, use either the WebUI or the CLI set interface command.

Example: Configuring the Dead Interval

In this example, you set a dead interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Neighbor Dead Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf dead-interval 100
2. ns-> save


Setting a Hello Interval for an OSPF Interface

A hello interval is the amount of time that elapses between instances of a hello packet being sent out to the network by the current routing instance. To set a hello interval, use either the WebUI or the CLI set interface command.

Example: Configuring the Hello Interval

In this example, you set a hello interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Hello Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf hello-interval 100
2. ns-> save


Setting a Neighbor List for an OSPF Interface

You can configure a list of peers or neighbors to the current OSPF virtual routing instance, using either the WebUI or the CLI set interface command.

Example: Configuring a Neighbor List

In this example, you create a neighbor list for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Neighbor List: 4 | 5 | 6

CLI
1. ns-> set interface ethernet1 protocol ospf neighbor-list 4 5 6
2. ns-> save


Setting a Retransmit Interval for an OSPF Interface

A retransmit interval value specifies the amount of time, in seconds, that elapses before the interface resends an LSA to a neighbor that did not respond to the original LSA. You can specify a retransmit interval for an OSPF interface using either the WebUI or the CLI set interface command.

Example: Configuring the Retransmit Interval

In the following example, you set a retransmit interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Retransmit Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf retransmit-interval 100
2. ns-> save


Setting a Priority Value on an OSPF Interface

Routers on a network go through an election process to become the designated router. The designation is made by routers comparing their priority value. The router with the larger value has the best (although not guaranteed) chance of being elected the DR. You can configure a priority value on an OSPF interface using either the WebUI or the CLI set interface command.

Example: Configuring the Priority Value

In this example, you set a priority value of 100 for OSPF interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Type 100 in the Priority field, and then click Apply.

CLI
1. ns-> set interface ethernet1 protocol ospf priority 100
2. ns-> save
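The election described above, reduced to a Python model that is an added illustration and not ScreenOS code: a priority of 0 makes a router ineligible, the highest priority wins, ties go to the higher router ID, and a router that already holds the DR role is not preempted, which is why a high priority gives the best but not a guaranteed chance of becoming DR. The router IDs and priorities are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    """A router attached to one broadcast segment (constructed model)."""
    router_id: str        # dotted-quad OSPF router ID
    priority: int         # interface priority 0..255; 0 means never eligible
    is_dr: bool = False   # True if this router already holds the DR role on the segment


def _rank(router):
    # Higher priority wins; equal priorities are broken by the numerically higher router ID.
    return (router.priority, int(ipaddress.IPv4Address(router.router_id)))


def elect_dr(routers):
    """Return the router ID that holds the DR role after the election, or None if nobody can.

    An existing DR is never preempted: a router that joins with a higher priority
    only takes over once the current DR leaves the segment, so the election is
    only decisive when the segment has no DR yet.
    """
    eligible = [r for r in routers if r.priority > 0]
    if not eligible:
        return None
    incumbents = [r for r in eligible if r.is_dr]
    return max(incumbents or eligible, key=_rank).router_id


# Constructed segment: the router from the example (priority 100), a default
# priority router, and a router excluded from the election with priority 0.
SEGMENT = [
    Router("10.1.1.1", priority=1),
    Router("10.1.1.2", priority=100),
    Router("10.1.1.3", priority=0),
]

# Same segment, but 10.1.1.1 was already DR before 10.1.1.2 attached.
SEGMENT_WITH_INCUMBENT = [
    Router("10.1.1.1", priority=1, is_dr=True),
    Router("10.1.1.2", priority=100),
    Router("10.1.1.3", priority=0),
]


def demo():
    """Return the DR for a fresh segment and for a segment with an incumbent DR."""
    return elect_dr(SEGMENT), elect_dr(SEGMENT_WITH_INCUMBENT)


if __name__ == "__main__":
    print(demo())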


Setting a Transit Delay Value on an OSPF Interface

To set the amount of time between transmissions of link-state update packets on an interface, you need to set a transit delay value. To configure a transit delay value on an OSPF interface, use either the WebUI or the CLI set interface command.

Example: Configuring the Transit Delay

In the following example, you set a transit delay of 10 seconds on OSPF interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Type 10 in the Transit Delay field, and then click Apply.

CLI
1. ns-> set interface ethernet1/1 protocol ospf transit_delay 10
2. ns-> save


OSPF VIRTUAL LINK CONFIGURATION

This section describes OSPF virtual link configuration tasks.

Creating a Virtual Link

All areas in an OSPF internetwork must connect directly to the backbone area. Sometimes, you need to create a new area that is not physically connected to the backbone area. To solve this problem you configure a virtual link. The virtual link provides a remote area with a logical path to the backbone through another area. To create or display details about a virtual link for the current routing instance, use the WebUI or the CLI set vlink commands.

Example: Creating a Virtual Link to the Backbone Area

In the following example, you create a virtual link through area 0.0.0.10 to the router with router ID 10.10.10.20.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

CLI
1. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20
2. ns(trust-vr/ospf)-> save


Automatically Creating a Virtual Link

You can direct a virtual router to automatically create a virtual link for instances when it cannot reach the network backbone. Having the virtual router automatically create virtual links replaces the more time-consuming process of creating each virtual link manually. You configure a virtual router to automatically create virtual links using either the WebUI or the CLI set auto-vlink command.

Example: Creating an Automatic Virtual Link

In the following example, you configure automatic virtual link creation.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Automatically generate virtual links and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set auto-vlink
4. ns(trust-vr/ospf)-> save


Creating a Message Digest for a Virtual Link

To enable MD5 authentication for a virtual link on an OSPF virtual routing instance, use either the WebUI or the CLI set vlink authentication md5 command.

Example: Creating a Virtual Link with MD5 Authentication

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and an MD5 password of 1234567890123456.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: Enter the following, and then click OK:
Authentication MD5: (select)
MD5 Key (16 characters): 1234567890123456

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type md5 1234567890123456
4. ns(trust-vr/ospf)-> save


Configuring a Clear-Text Password for a Virtual Link

To configure a clear-text password as an authentication method for a virtual link on an OSPF virtual routing instance, use either the WebUI or the CLI set vlink authentication command.

Example: Creating a Virtual Link with Clear-Text Password

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a clear-text password with a value of 12345678.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: Enter the following, and then click OK:
Authentication Password: (select)
Password (8 characters): 12345678

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type password 12345678
4. ns(trust-vr/ospf)-> save


Creating a Dead Interval for a Virtual Link Neighbor

To create a dead interval for a neighbor that is reachable across a virtual link, use the WebUI or the CLI set vrouter protocol ospf vlink dead-interval command.

Example: Configuring a Virtual Link Neighbor Dead Interval

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a dead interval of 50 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Router Dead Interval field, type 50, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 dead-interval 50
4. ns(trust-vr/ospf)-> save


Creating a Hello Interval for a Virtual Link

To create a hello interval for a virtual link on an OSPF virtual routing instance, use the WebUI or the CLI set vrouter protocol ospf hello-interval command.

Example: Configuring a Virtual Link Hello Interval

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a hello interval of 30 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Hello Interval field, type 30, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 hello-interval 30
4. ns(trust-vr/ospf)-> save


Configuring a Retransmit Interval for a Virtual Link

To specify the time between link-state advertisement (LSA) retransmissions for adjacencies across a virtual link interface, use the WebUI or the CLI set vlink area router retransmit-interval command.

Example: Configuring a Virtual Link Retransmit Interval

In this example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a retransmit interval of 20 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Retransmit Interval field, type 20, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 retransmit-interval 20
4. ns(trust-vr/ospf)-> save


Configuring a Transit Delay Value for a Virtual Link

To configure the amount of time required between transmissions of link-state update packets being sent by the current virtual link, use the WebUI or the CLI set vlink transit-delay command.

Example: Configuring a Virtual Link Transit Delay

In this example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a transit delay of 100 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Transit Delay field, type 100, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20 transit-delay 100
4. ns(trust-vr/ospf)-> save


OSPF INFORMATION

This section describes tasks for displaying OSPF information.

Displaying Statistics for an OSPF Routing Instance

Use the CLI get statistics command to display information about the following objects associated with an OSPF routing instance:
Hello Packets
Link State Requests
Link State Acknowledgments
Link State Updates
Database Descriptions
Areas Created
Shortest Path First Runs
Packets Dropped
Errors Received
Bad Link State Requests

Example: Displaying OSPF Statistics

In the following example, you display information about various statistics recorded for OSPF in the trust-vr virtual router.

WebUI
Note: You can only display these statistics through the CLI.


CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get statistics
VR: untrust-vr RouterId: 0.0.0.0
---------------------------------
Packet Type       Transmit   Receive
--------------------------------------------------------------------
Hello             0          0
LS Request        0          0
LS Acknowledge    0          0
LS Update         0          0
Database Desc     0          0
AreaId            SPF Runs
--------------------------------------------
0.0.0.0           1
0.0.0.10          0
Packets Dropped: None
Receive Errors: None
Bad LS Requests: 0
Note: Use the clear command to reset all packet types to 0.


Displaying Details about Redistribution Conditions

Use either the WebUI or the CLI get rules-redistribute command to display details about conditions set for routes that have been imported from a non-OSPF router in another routing domain.

Example: Displaying Redistribution Conditions

In the following example, you display the currently-configured redistribution rules.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get rules-redistribute
VR: trust-vr RouterId: 1.1.1.2
---------------------------------
trust-vr
==========
Redistribution Rules
-------------------------------------------------
IP-Prefix        Source-Protocol   Cost   ASE-Type   Tag
------------------------------------------------------------------------------
100.123.1.4/16   any               10     1          0.0.0.10


Displaying Details about Redistributed Routes

Use the routes-redistribute command to display details about routes that have been imported from a non-OSPF router in another routing domain by the current OSPF virtual routing instance.

Example: Displaying Redistributed Routes Details

In the following example, you display information about routes that have been imported from a non-OSPF router in another routing domain by the current OSPF routing instance.

WebUI
Note: You can only display these details through the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get routes-redistribute
VR: trust-vr RouterId: 1.1.1.2
---------------------------------
IP-Prefix   Cost   ASE-Type   Forwarding-IP   Tag
---------------------------------------------------------------
1.1.1.0     20     1          0.0.0.0         0.0.0.0


Displaying Objects in the OSPF Database

Use the CLI get database command to display objects in the current OSPF router's database.

Example: Displaying OSPF Database Objects

In the following example, you display details about router LSAs for area 0 in the OSPF database of the current OSPF routing instance.

WebUI
Note: You can only use the CLI to display these details.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get database area 0 router
Link-State-Id   Adv-Router-ID   Age   Sequence   Checksum
---------------------------------------------------------
20              1.1.1.0         20    2          1


Displaying Stub Details

Use the WebUI or the CLI get stub command to display details about a stub area that has been created on the current OSPF virtual routing instance.

Example: Displaying Stub Area Details

In the following example, you display the stub type created on the current OSPF routing instance.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get stub
VR: untrust-vr RouterId: 0.0.0.0
---------------------------------
Area-ID: 0.0.0.10 (Stub)
Total number of interfaces is 0, Active number of interfaces is 0
Route Imports: None, SPF Runs: 0
Number of ABR(s): 0, Number of ASBR(s): 0
Number of LSA(s): 0, Checksum: 0x0
Default route metric type is ext-type-1, metric is 1
Type-3 LSA Filter: disabled


Displaying OSPF Configuration

Use the CLI get config command to display the OSPF configuration.

Example: Listing OSPF Configuration Commands

In the following example, you display a list of all OSPF configuration commands.

WebUI
Note: To view the OSPF commands, you must use the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get config
VR: untrust-vr RouterId: 0.0.0.0
---------------------------------
set protocol ospf
set disable
set auto-vlink
set advertise-def-route always metric 10 metric-type 1
set area 0.0.0.10 nssa
exit


OTHER OSPF CONFIGURATION

This section describes other OSPF configuration tasks.

Binding OSPF to a Tunnel Interface

To bind a tunnel interface to an OSPF routing instance on a NetScreen device, use either the WebUI or the CLI set interface tunnel command.

Example: Binding a Tunnel to an OSPF Routing Instance

In the following example, you bind OSPF to the tunnel interface tunnel.1.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure: Enter the following, and then click Apply:
Available Interfaces: tunnel.1
Use the Add button to move the tunnel.1 interface from the Available Interfaces column to the Selected Interfaces column.

CLI
1. ns-> set interface tunnel.1 protocol ospf
2. ns-> save


Announcing a Default Route in All Areas

Every router has a default route in its routing table. The default route matches every destination network in a routing table, although a more specific prefix overrides the default route. Typically, the default route is 0.0.0.0/0. Use either the WebUI or the CLI set advertise-default-route command to advertise or display the current default route throughout an AS.

Example: Advertising the Default Route

In the following example, you advertise the current OSPF routing instance's default route.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Advertising Default Route Enable, and then click OK.
Note: The default metric is 1 and the default metric-type is ASE type 1.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set advertise-default-route always metric 1 metric-type 1
4. ns(trust-vr/ospf)-> save


Configuring Summary Routes

In large internetworks, hundreds or even thousands of network addresses can exist. In these environments, some routers may become overly congested with route information. Route aggregation, also called route summarization, reduces the number of routes that a router must maintain because it represents a series of network addresses as a single summary address.

Another advantage to using route summarization in a large, complex network is that it can isolate topology changes from other routers. That is, if a specific link in a given domain is intermittently failing, the summary route would not change, so no router external to the domain would need to keep modifying its routing table due to the link failure. In addition to creating fewer entries in the routing tables on the backbone routers, route summarization prevents the propagation of LSAs to other areas when one of the summarized networks goes down or comes up.

You can summarize inter-area routes or external routes. Once you have redistributed a series of routes from an external protocol to the current OSPF routing instance, you can bundle the routes into one generalized or summarized network route. By summarizing multiple addresses, you enable a series of routes to be recognized as one route, simplifying the process. Note that you need a route map to perform a redistribution. Use either the WebUI or the CLI set summary-import command to summarize route redistribution.


Example: Summarizing Redistributed Routes

In the following example, you summarize a set of redistributed routes under the network address 2.1.1.0/16.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Summary Import: Enter the following, and then click Add:
IP/Netmask: 2.1.1.0/16
Tag: 20

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol static
4. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol bgp
5. ns(trust-vr/ospf)-> set summary-import 2.1.1.0/16 tag 20
6. ns(trust-vr/ospf)-> save


Removing a Default Route

Use either the WebUI or the CLI set reject-default-route command to remove a default route learned from OSPF.

Example: Removing the Default Route from the Route Table

In the following example, you specify that a default route not be learned from OSPF.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the Do not add default-route learned in OSPF check box and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set reject-default-route
4. ns(trust-vr/ospf)-> save


Setting an Area Range

Configuring an area range allows an area border router to summarize the networks advertised within an area. An area range allows a group of subnets to be consolidated into a single network address to be advertised in a summary link advertisement. When you configure an area range, you can also specify whether to advertise or to withhold the area range defined. To configure an area range, use either the WebUI or the CLI set area command.

Example: Configuring an Area Range

In the following example, you create an area range of 20.20.0.0/16 for the area 0.0.0.10.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for 0.0.0.10): Enter the following, and then click OK:
IP: 20.20.0.0
NetMask: 255.255.0.0
Type: (select) Advertise
Action: Add

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set area 0.0.0.10 range 20.20.0.0/16 advertise
4. ns(trust-vr/ospf)-> save


Setting a Hello Flood Attack Threshold

Use the WebUI or the CLI set hello-threshold command to configure the maximum number of hello packets allowed within a specified amount of time.

Example: Configuring the Hello Threshold

In the following example, you configure a threshold of 20 packets.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then click Apply:
Prevent Hello Packet Flooding Attack: On
Max hello packet: 20

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set hello-threshold 20
4. ns(trust-vr/ospf)-> save


Setting an LSA Threshold

Link State Advertisements (LSAs) enable OSPF routers to provide device, network, and routing information for the link state database. Each router retrieves information from the LSAs sent by other routers on the network to distill path information for the routing table. LSA flood protection enables you to manage the number of LSAs entering the virtual router. If the virtual router receives too many LSAs, the router fails because of LSA flooding. To set the number of LSAs that the virtual router receives within a certain amount of time, use either the WebUI or the CLI set lsa-threshold command to configure a maximum number of LSAs that can be received per neighbor per LSA interval to prevent LSA flooding.

Example: Configuring the LSA Threshold

In this example, you create an OSPF LSA flood attack threshold of 10 packets per 10 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then click OK:
LSA Packet Threshold Time: 10
Maximum LSAs: 10

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set lsa-threshold 10 10
4. ns(trust-vr/ospf)-> save
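A model of the per-neighbor rate limit behind both the hello threshold and the LSA threshold tasks above, written in Python as an added illustration; it is not ScreenOS code and the guide does not document the device's internal counting, so a plain sliding window is assumed. The constructed traffic mixes a neighbor that sends one LSA every 10 seconds with a source that sends 50 in 5 seconds, and the limit is the lsa-threshold 10 10 setting from the example (10 packets per 10-second interval); the same class with max_packets=20 models the hello threshold.

```python
from collections import defaultdict, deque


class FloodGuard:
    """Per-neighbor sliding-window limit: at most max_packets per interval seconds (assumed model)."""

    def __init__(self, max_packets, interval_seconds):
        self.max_packets = max_packets
        self.interval = interval_seconds
        self._windows = defaultdict(deque)   # neighbor -> arrival times still inside the window

    def accept(self, neighbor, timestamp):
        """Return True if the packet is within the threshold, False if it would be dropped."""
        window = self._windows[neighbor]
        while window and timestamp - window[0] >= self.interval:
            window.popleft()                  # expire arrivals older than one interval
        if len(window) >= self.max_packets:
            return False                      # threshold reached: drop, window unchanged
        window.append(timestamp)
        return True


def run(guard, packets):
    """Feed (neighbor, timestamp) pairs in time order; return {neighbor: (accepted, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for neighbor, timestamp in sorted(packets, key=lambda p: p[1]):
        counts[neighbor][0 if guard.accept(neighbor, timestamp) else 1] += 1
    return {neighbor: tuple(c) for neighbor, c in counts.items()}


# Constructed traffic: a well-behaved neighbor sends one LSA every 10 s;
# a misbehaving source sends 50 LSAs inside 5 s.
NORMAL = [("10.0.0.2", float(t)) for t in range(0, 100, 10)]
FLOOD = [("10.0.0.66", t / 10) for t in range(50)]


def demo():
    """Apply lsa-threshold 10 10 (10 LSAs per 10-second interval) to the constructed traffic."""
    guard = FloodGuard(max_packets=10, interval_seconds=10)
    return run(guard, NORMAL + FLOOD)


if __name__ == "__main__":
    for neighbor, (accepted, dropped) in demo().items():
        print(f"{neighbor}: accepted={accepted} dropped={dropped}")
```

The well-behaved neighbor loses nothing, while the flooding source gets its first 10 LSAs through and has the next 40 dropped. Counting drops per neighbor, as run() does, is the signal worth alerting on: a non-zero drop count on a production segment means either a misbehaving router or a threshold set too low for the real LSA rate, and both deserve a look.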


Configuring an RFC 1583 Environment

Use the set rfc-1583 commands to set or display OSPF as specified by the Request for Comments 1583 document.

Example: Changing to an RFC 1583 Environment

In the following example, you change your environment to one that is compatible with one specified by RFC 1583.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the rfc-1583 compatible check box, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set rfc-1583
4. ns(trust-vr/ospf)-> save


BGP Task Reference

BGP is a routing protocol for communication between autonomous systems (ASs) on the internet. Peer routers in each AS use BGP to exchange routing information. Each BGP peer router requires explicit configuration with the network-layer reachability information it advertises to (and accepts from) peer devices. This chapter describes important and commonly-used procedures for configuring your local virtual router for BGP environments.

The BGP Commands on page 53
Basic BGP Configuration Tasks on page 57
    Creating a BGP Instance of the Virtual Router on page 57
    Specifying Reachable Networks from an AS on page 58
    Enabling Aggregate Routes on page 59
    Enabling Redistribution on page 60
    Configuring a BGP Neighbor on page 61
    Enabling a BGP Peer with an IP Address on page 62
    Configuring a Hold Timer on page 63
    Configuring a Keepalive Timer on page 64
    Enabling Route Flap Damping on page 65
    Discarding Default Route Advertisements from a Peer Router on page 66
Advanced BGP Configuration Tasks on page 67
    Applying a Route Map to Routes from Specified Neighbors on page 67
    Assigning a Weight to a Path on page 68
    Setting an AS Path Access List on page 69
    Configuring a Community List on page 70


    Setting a Local Preference on page 73
    Setting a Multi-Exit Discriminator (MED) on page 74
    Setting a Multi-Exit Discriminator (MED) Comparison on page 75
    Configuring a Route Reflector on page 76
    Setting a Neighbor as a Route Reflector Client on page 77
    Configuring a Confederation on page 78
    Adding an AS Member to a Confederation on page 79


THE BGP COMMANDS

This section briefly describes the BGP context and the CLI commands that configure a local virtual router to use the BGP protocol.

Note: For more information on the BGP commands, see the NetScreen CLI Reference Guide.

Context Initiation
Before you can execute a BGP command, you must initiate the bgp context. Initiating the bgp context requires two steps:
1. Enter the vrouter context by executing the set vrouter command:
   ns-> set vrouter vrouter
   where vrouter is the name of the virtual router. (For this example, vrouter is the trust-vr virtual router.)
2. Enter the bgp context by executing the set protocol bgp command:
   ns(trust-vr)-> set protocol bgp
For more information on contexts, see Context-Sensitive Commands in the CLI on page 2-58.


Basic BGP Command Descriptions


The following commands are executable in the bgp context.

aggregate
Use aggregate commands to create, display, or delete aggregates. Aggregation is a technique for summarizing a range of routing addresses into a single route entry, expressed as an IP address and a subnet mask. Aggregates can reduce the size of a routing table on a router, while maintaining its level of connectivity. In addition, aggregation can reduce the number of advertised addresses, thus reducing overhead. Command options: get, set, unset

always-compare-med
Use the always-compare-med commands to enable, disable, or display the current always-compare-med setting. When you enable this setting, the NetScreen device compares paths from each autonomous system (AS) using the Multi-Exit Discriminator (MED). The MED determines the most suitable entry or exit point to each neighbor AS. Command options: get, set, unset

as-path-access-list
Use as-path-access-list commands to create, remove, or display a regular expression in an AS-Path access list. An AS-path access list serves as a packet filtering mechanism. The NetScreen device can consult such a list and permit or deny BGP packets based on the regular expressions contained in the list. Command options: get, set, unset

community-list
Use community-list commands to enter a router in a community list, to remove a router from the list, or to display the list. A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way. Command options: get, set, unset


confederation
Use the confederation commands to create a confederation, to remove a confederation, or to display confederation information. Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them. Using confederations reduces the number of connections inside an AS, thus simplifying the routing process. Command options: get, set, unset

enable
Use the enable commands to enable or disable BGP. Command options: get, set, unset

flap-damping
Use the flap-damping commands to enable or disable the flap-damping setting. Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap damping allows the NetScreen device to contain routing instability at an AS border router, adjacent to the region where instability occurs. Command options: get, set, unset

hold-time
Use the hold-time commands to specify or display the maximum amount of time (in seconds) that can elapse between messages received from the BGP neighbor. Command options: get, set, unset

ignore-default-route
Use the ignore-default-route commands to enable, disable, or display the ignore-default-route setting. Enabling this setting makes the NetScreen device ignore default route advertisements from the BGP peer router. Command options: get, set, unset

keepalive
Use the keepalive commands to specify the amount of time (in seconds) that elapses between keepalive packet transmissions. These transmissions ensure that the TCP connection between the local BGP router and a neighbor router is up. Command options: get, set, unset

local-pref
Use the local-pref command to configure the LOCAL_PREF metric on a BGP router. This metric expresses preference for one set of paths over another. Command options: get, set, unset


med
Use the med commands to specify or display the local Multi-Exit Discriminator (MED) ID number. The MED determines the most suitable entry or exit point when there are multiple exit/entry points to the same neighbor autonomous system (AS). Command options: get, set, unset

neighbor
Use the neighbor commands to set or display general configuration parameters for the local BGP virtual router. The device uses these parameters while establishing a BGP connection to another autonomous system (AS). Command options: clear, exec, get, set, unset

network
Use the network commands to create, display, or delete network and subnet entries. The BGP virtual router advertises these entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries). Command options: get, set, unset

redistribute
Use the redistribute commands to import routes advertised by external routers that use protocols other than BGP, or to display the current redistribute settings. Command options: get, set, unset

reflector
Use the reflector commands to allow the local BGP virtual router to serve as a route reflector. A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients), thus eliminating the need for each router in a mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS). Command options: get, set, unset

synchronization
Use the synchronization command to enable synchronization with Interior Gateway Protocol (IGP). Command options: set, unset


BASIC BGP CONFIGURATION TASKS


The following configuration tasks are mandatory for most BGP implementations.

Creating a BGP Instance of the Virtual Router


To enable or disable a specific BGP virtual routing instance, use the WebUI or the CLI set enable commands.

Example: Starting a Virtual Routing Instance


Note: A virtual router (such as trust-vr) can have only one BGP virtual routing instance at a time. Consequently, you cannot create a new BGP virtual routing instance if one already exists.

In the following example, you start a virtual routing instance (with AS ID 20) and enable BGP.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Create BGP Instance: Enter the following, and then click OK:
AS Number (required): 20
BGP Enabled: (select)

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp 20
3. ns(trust-vr/bgp)-> set enable
4. ns(trust-vr/bgp)-> save


Specifying Reachable Networks from an AS


During the initial setup of your BGP network, you need to construct a list of networks that are reachable from the virtual router. The BGP virtual router advertises these network entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries). To make entries in the network list, use the WebUI or the CLI set network commands.

Example: Making a Network Reachable from the Local Virtual Router


In the following example, you make a network (192.169.1.0/24) reachable from the local virtual router.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Networks: Enter 192.168.1.0/24 in the IP/Netmask field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set network 192.169.1.0/24
4. ns(trust-vr/bgp)-> save


Enabling Aggregate Routes


Aggregation summarizes a range of routing addresses into a single route entry expressed as an IP address and a subnet mask. You can create, display, or delete BGP aggregates using the WebUI or the CLI set aggregate commands.

Example: Making an Aggregate Route Entry


For the following example, assume that the internetwork contains the following subnets of 192.168.10.0/24:
192.168.10.0/28
192.168.10.16/28
192.168.10.32/28
192.168.10.128/30

Instead of sending individual routes for each, you aggregate them into one advertisement (192.168.10.0/24).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Aggregate Address: Enter the following, and then click OK:
IP/Netmask: 192.168.10.0/24
Aggregate State: Enable: (select)

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> unset enable
4. ns(trust-vr/bgp)-> set aggregate ip 192.168.10.0/24
5. ns(trust-vr/bgp)-> set enable
6. ns(trust-vr/bgp)-> save
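Before committing an aggregate, it is worth checking that the summary really contains every specific subnet, and how much of the summary has no specific route behind it (those addresses are attracted by the advertisement but lead nowhere). The following added example is not from the NetScreen documentation; it uses the four subnets from the example above (embedded as constructed input) and the Python standard library only.

```python
import ipaddress

# Constructed sample input: the four specific subnets from the example above.
SUBNETS = ["192.168.10.0/28", "192.168.10.16/28",
           "192.168.10.32/28", "192.168.10.128/30"]


def minimal_aggregate(subnets):
    """Return the smallest single prefix that contains every subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lowest = min(nets, key=lambda n: int(n.network_address))
    prefix = min(n.prefixlen for n in nets)
    while prefix >= 0:
        # Widen the block starting at the lowest address until it covers all of them.
        candidate = ipaddress.ip_network((int(lowest.network_address), prefix), strict=False)
        if all(n.subnet_of(candidate) for n in nets):
            return str(candidate)
        prefix -= 1
    raise ValueError("no covering prefix")  # unreachable for IPv4: /0 covers everything


def not_covered(aggregate, subnets):
    """Subnets that fall outside the aggregate; an aggregate must contain them all."""
    agg = ipaddress.ip_network(aggregate)
    return [s for s in subnets if not ipaddress.ip_network(s).subnet_of(agg)]


def unused_space(aggregate, subnets):
    """Address blocks inside the aggregate that no specific subnet covers."""
    remaining = [ipaddress.ip_network(aggregate)]
    for s in subnets:
        specific = ipaddress.ip_network(s)
        next_remaining = []
        for block in remaining:
            if specific.subnet_of(block):
                # Carve the specific subnet out of this block.
                next_remaining.extend(block.address_exclude(specific))
            elif not block.subnet_of(specific):
                next_remaining.append(block)
            # else: the block lies entirely inside the specific subnet and is covered
        remaining = next_remaining
    return [str(n) for n in sorted(remaining)]


def unused_address_count(aggregate, subnets):
    """Number of addresses the aggregate advertises without a specific route behind them."""
    return sum(ipaddress.ip_network(n).num_addresses
               for n in unused_space(aggregate, subnets))


if __name__ == "__main__":
    agg = minimal_aggregate(SUBNETS)
    print("aggregate:", agg, "uncovered:", not_covered(agg, SUBNETS))
    print("unused blocks:", unused_space(agg, SUBNETS),
          "=", unused_address_count(agg, SUBNETS), "addresses")
```

For the page's four subnets the minimal aggregate is 192.168.10.0/24, as the example advertises, but 204 of its 256 addresses have no specific route behind them; that is the trade-off between fewer advertisements and advertising space you do not actually serve.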

Enabling Redistribution

When a virtual router learns about routes from other dynamic protocols (or by static configuration), it does not automatically advertise the routes to the BGP peers. You must first import the routes into the BGP protocol. To import such routes, or to display the current route redistribution settings, use the WebUI or the CLI set redistribute commands. For more information on importing route redistribution rules and on importing routes, see Route Redistribution on page 2-74.

Example: Creating a Redistribution Rule


In the following example, you create a redistribution rule for all routes learned from OSPF, and filter the routes according to an existing route map (Corp_Office).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Redist Rules: Enter the following, and then click OK:
Route Map: Corp_Office
Protocol: OSPF

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol ospf
4. ns(trust-vr/bgp)-> save


Configuring a BGP Neighbor


Before two BGP devices can communicate and exchange routes, they need to identify each other so they can start a BGP session. To identify a neighbor to the virtual router, use the WebUI or the set neighbor commands.

Note: If the neighbor is in the same AS as the local BGP speaker, the two devices use IBGP to establish a connection.

Example: Configuring the Virtual Router for a Neighbor


In the following example, you configure the virtual router for a connection with a neighbor. This neighbor has the following attributes:
IP address 192.4.55.4
Resides in an AS with ID 20

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors: Enter the following and then click Add:
AS Number: 20
Remote IP: 192.4.55.4

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 remote-as 20
4. ns(trust-vr/bgp)-> save


Enabling a BGP Peer with an IP Address


After setting up a connection between the virtual router and a neighbor, you must enable the connection. To perform this operation, use the WebUI or the CLI set neighbor commands.

Example: Enabling a BGP Peer Connection


In the following example, you enable a connection between the local virtual router and a BGP neighbor (192.4.55.4).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.4.55.4): Select Peer Enabled, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 enable
4. ns(trust-vr/bgp)-> save


Configuring a Hold Timer


As your network becomes mature, you may need to alter the maximum time interval between messages transmitted from a BGP speaker to its neighbor. To specify or display this interval, use the WebUI or the CLI hold-time commands.

Example: Setting the Hold-Time Value


In the following example, you set the hold-time value to 60 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following and then click OK:
Hold Time: Enable (select)
Hold Time: 60

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set hold-time 60
4. ns(trust-vr/bgp)-> save


Configuring a Keepalive Timer


Keepalive transmissions ensure that the TCP connection between the local BGP router and a neighbor router is still up. To set or display the time interval (in seconds) that can elapse between keepalive packet transmissions, use the WebUI or the CLI keepalive commands.

Example: Setting the Keepalive Timer


In the following example, you set the keepalive value to 20 seconds.

WebUI
Note: You cannot specifically set a value for the keepalive interval through the WebUI. However, because the keepalive value is always 1/3 of the Hold Time value, by setting the Hold Time value at 60 seconds, you indirectly set the keepalive value to 20 seconds.

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Hold Time Enable, type 60 in the Hold Time field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set keepalive 20
4. ns(trust-vr/bgp)-> save
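The hold-time and keepalive tasks above are two halves of one liveness mechanism: the hold time configured locally is only a proposal, the session uses the smaller of the two values the peers exchange in their OPEN messages (RFC 4271), and the keepalive interval the page derives as one third of it must fit inside that negotiated value or the neighbor will time the session out. The following added example is not NetScreen code; it models the negotiation, the 1/3 derivation from the WebUI note above, and a constructed timeline in which a peer goes silent, so the moment the hold timer fires can be checked.

```python
def negotiate_hold_time(local_hold, peer_hold):
    """Hold time a session actually uses.

    Each speaker proposes its configured Hold Time in OPEN and the session uses
    the smaller one (RFC 4271, section 4.2). A value of 0 disables keepalives
    and the hold timer; 1 and 2 are not permitted.
    """
    for value in (local_hold, peer_hold):
        if value < 0 or value in (1, 2):
            raise ValueError(f"invalid Hold Time {value}: must be 0 or at least 3 seconds")
    return min(local_hold, peer_hold)


def keepalive_interval(hold_time):
    """Keepalive interval as the page derives it: one third of the hold time."""
    return 0 if hold_time == 0 else hold_time // 3


def hold_timer_expiry(hold_time, peer_message_times, horizon):
    """Constructed simulation, one tick per second.

    peer_message_times: seconds at which a KEEPALIVE or UPDATE arrived from the
    neighbour. Returns the second at which the local speaker declares the
    neighbour dead (nothing heard for hold_time seconds), or None if the
    session survives until `horizon`. A hold time of 0 never expires.
    """
    last_heard = 0
    for now in range(1, horizon + 1):
        if now in peer_message_times:
            last_heard = now
        elif hold_time and now - last_heard >= hold_time:
            return now
    return None


if __name__ == "__main__":
    hold = negotiate_hold_time(60, 90)          # local 60 s, peer proposes 90 s
    print("negotiated hold:", hold, "keepalive:", keepalive_interval(hold))
    # Peer sends keepalives every 20 s: session stays up.
    print("healthy peer expiry:", hold_timer_expiry(hold, set(range(20, 301, 20)), 300))
    # Peer falls silent after its second keepalive: timer fires 60 s later.
    print("silent peer expiry:", hold_timer_expiry(hold, {20, 40}, 300))
```

The negotiation step matters operationally: if the peer proposes a hold time shorter than three of your keepalive intervals, the keepalive you configured is too slow for the session that is actually established.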


Enabling Route Flap Damping


Flap damping contains routing instability at an AS border router, adjacent to the region where instability occurs. The flap-damping setting blocks the advertisement of a route until the route becomes stable. To enable or disable this setting, use the WebUI or the CLI set flap-damping commands.

Example: Enabling Flap Damping


In the following example, you enable flap damping on the BGP instance configured on the Trust-VR.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Route flap damping state, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set flap-damping
4. ns(trust-vr/bgp)-> save
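The page states what flap damping achieves (a route is withheld until it is stable) but not the mechanism. The usual one, from RFC 2439, is a per-route penalty that grows with each flap and decays exponentially with a half-life; the route is suppressed once the penalty crosses a suppress limit and readvertised once decay brings it under a reuse limit. The following added example is not NetScreen code and the page gives no parameter values, so the penalty, half-life and limits below are constructed assumptions (common vendor defaults) used only to make the timeline concrete.

```python
# Constructed parameters (assumption, the page specifies none).
PENALTY_PER_FLAP = 1000      # added on every withdraw/re-announce
HALF_LIFE = 15 * 60          # seconds for the penalty to halve
SUPPRESS_LIMIT = 2000        # penalty above which the route is withheld
REUSE_LIMIT = 750            # penalty below which a suppressed route is released


class DampedRoute:
    """Flap-damping state for one prefix, in the style of RFC 2439."""

    def __init__(self):
        self.penalty = 0.0
        self.last_update = 0      # time of the last penalty recalculation
        self.suppressed = False

    def _decay(self, now):
        # Exponential decay: every HALF_LIFE seconds the penalty halves.
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / HALF_LIFE)
        self.last_update = now

    def flap(self, now):
        """Record a flap at time `now`; returns True if the route is now suppressed."""
        self._decay(now)
        self.penalty += PENALTY_PER_FLAP
        if self.penalty >= SUPPRESS_LIMIT:
            self.suppressed = True
        return self.suppressed

    def advertisable(self, now):
        """True if the route may be advertised to peers at time `now`."""
        self._decay(now)
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False      # stable long enough: release it
        return not self.suppressed


if __name__ == "__main__":
    route = DampedRoute()
    for t in (0, 10, 20):                      # three flaps within 20 seconds
        print(f"t={t:5d}s flap -> suppressed={route.flap(t)} penalty={route.penalty:.0f}")
    for t in (1000, 2000):
        print(f"t={t:5d}s advertisable={route.advertisable(t)} penalty={route.penalty:.0f}")
```

With these parameters two quick flaps are tolerated, the third suppresses the prefix, and roughly half an hour of stability is needed before it is readvertised, which is the containment the page describes: the instability is absorbed at the border router instead of being propagated to every peer.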


Discarding Default Route Advertisements from a Peer Router


You can instruct the BGP instance configured on a virtual router to ignore default route advertisements from its BGP peer. To enable, disable, or display this setting, use the WebUI or the CLI ignore-default-route commands.

Example: Ignoring Default Route Advertisements


In the following example, you enable the BGP instance defined on the Trust-VR to ignore default route advertisements that it receives from its BGP peer.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Ignore default route from peer, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set ignore-default-route
4. ns(trust-vr/bgp)-> save


ADVANCED BGP CONFIGURATION TASKS


The following configuration tasks are optional, and are necessary only in advanced network environments.

Applying a Route Map to Routes from Specified Neighbors


A route map acts as a filter for routes going to and from BGP neighbors. To apply route map entries to incoming and outgoing routes from specified neighbors, use the WebUI or the CLI set neighbor commands.

Example: Applying Route Maps


In the following example, you apply two existing route maps (ID numbers 10 and 15) to an existing neighbor configuration (192.168.1.182).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.168.1.182): Enter the following, and then click OK:
Incoming Map-Tag: 10
Outgoing Map-Tag: 15
Peer Enabled: (select)

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 10 in
4. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 15 out
5. ns(trust-vr/bgp)-> save


Assigning a Weight to a Path


The weight value represents the priority of the route between the local BGP virtual routing instance and the neighbor. The higher this value, the greater the priority of the route. To set this priority, use the WebUI or the CLI set neighbor commands.

Example: Specifying a Weight Value


In the following example, you specify a weight value of 30 for the BGP neighbor at IP address 192.4.55.4.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.168.1.182): Type 30 in the Weight field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 weight 30
4. ns(trust-vr/bgp)-> save


Setting an AS Path Access List


An AS-path access list serves as a packet filtering mechanism. The NetScreen device permits or denies BGP packets based on the regular expressions contained in the list. To create, remove or display a regular expression in an AS-Path access list, use the WebUI or the CLI as-path-access-list commands. Specify the criteria in the AS Path String field:

Expression   Description
^            Specifies the start of a path.
$            Specifies the end of a path.

Example: Creating an Entry in the AS Path Access List


In the following example, you create an AS path access list entry (with ID 10) matching any path beginning with 100.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > AS Path: Enter the following and then click Add:
AS Path Access List ID: 10
Permit: Permit
AS Path String: ^100
Action: Add

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set as-path-access-list 10 permit ^100
4. ns(trust-vr/bgp)-> save
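An AS-path access list is an ordered list of regular expressions, and the page's "^100" deserves a second look: as a regular expression over the textual AS path it matches any path whose text starts with the characters 100, so AS 1001 at the head of a path passes as well. The following added example is not NetScreen code; it parses the page's own set as-path-access-list command format into a list, evaluates paths against it first-match-wins, and contrasts the page's pattern with an anchored variant. The implicit deny for a path matching no entry is an assumption; the page does not state the default.

```python
import re


def parse_as_path_acl_command(line):
    """Parse 'set as-path-access-list <id> <permit|deny> <regex>' (the CLI form
    shown above) into (list_id, action, pattern)."""
    parts = line.split()
    if parts[:2] != ["set", "as-path-access-list"] or len(parts) < 5:
        raise ValueError(f"not an as-path-access-list command: {line!r}")
    list_id, action, pattern = int(parts[2]), parts[3], " ".join(parts[4:])
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return list_id, action, pattern


def build_acls(lines):
    """Group parsed entries by list id, preserving configuration order."""
    acls = {}
    for line in lines:
        list_id, action, pattern = parse_as_path_acl_command(line)
        acls.setdefault(list_id, []).append((action, re.compile(pattern)))
    return acls


def evaluate(acl, as_path):
    """First matching entry decides. A path matching no entry is denied
    (implicit deny: an assumption, not something the page states)."""
    for action, regex in acl:
        if regex.search(as_path):
            return action == "permit"
    return False


# Constructed configuration: list 10 is the page's entry; list 20 is an anchored
# variant that requires AS 100 to be a whole first element (followed by a space
# or the end of the path).
ACLS = build_acls([
    "set as-path-access-list 10 permit ^100",
    "set as-path-access-list 20 permit ^100( |$)",
])


if __name__ == "__main__":
    for path in ("100 200 300", "1001 200", "200 100", "100"):
        print(f"{path!r:14} list 10: {evaluate(ACLS[10], path)!s:5} "
              f"list 20: {evaluate(ACLS[20], path)}")
```

Checking candidate patterns against a few hand-written paths like this before applying them is cheap, and it catches the over-broad match that a bare prefix such as ^100 produces.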

Configuring a Community List


A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way. To assign a route to a community, remove a route from the community, or display the community attribute, use the WebUI or the CLI community-list commands.

Note: Guidelines concerning when and how to use communities are beyond the scope of this manual.

Example: Creating a Community List


In the following example, you configure a community on two devices (Peer A and Peer B).

On Peer A, you configure a community-list with ID 1, using attribute 100:500. You then configure a static route for an internal network, which Peer A advertises to Peer B along with the community attribute. The community attribute enables Peer B to selectively insert this static route into its routing table. Then you create two access lists (ACLs) and apply them to two route-maps configured for route redistribution. This allows insertion of the connected and static routes into the local routing table. Finally, you configure neighbor settings, which allow the device to append routing updates with the community attributes specified in the route-map.

On Peer B, you configure a community-list with ID 1 using attribute 100:500. You then configure an access-list and apply it to a route-map configured for route redistribution. You then apply the route-map to the access-list, so Peer B can insert the static route received from Peer A (with community 100:500 appended) into the local routing table. Finally, you configure neighbor settings, which associate the route-map with Peer A.


CLI (Peer A)

Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100
4. ns(trust-vr/bgp)-> exit

Static Route
5. ns(trust-vr)-> set route 10.1.1.0/24 interface ethernet3 gateway 192.128.1.254

Access List for all networks
6. ns(trust-vr)-> set access-list 1
7. ns(trust-vr)-> set access-list 1 permit ip 0.0.0.0/0 1

Access List for the 10.1.1.0/24 network
8. ns(trust-vr)-> set access-list 2
9. ns(trust-vr)-> set access-list 2 permit ip 10.1.1.0/24 1

Route Map ACL 1
10. ns(trust-vr)-> set route-map name Import_ACL1 permit 90
11. ns(trust-vr)-> set match ip 1
12. ns(trust-vr)-> exit

Route Map ACL 2
13. ns(trust-vr)-> set route-map name Import_ACL2 permit 100
14. ns(trust-vr)-> set match ip 2
15. ns(trust-vr)-> set community 1

Route Redistribution
16. ns(trust-vr)-> set protocol bgp redistribute route-map Import_ACL1 protocol connected
17. ns(trust-vr)-> set protocol bgp redistribute route-map Import_ACL2 protocol static


Neighbor
18. ns(trust-vr)-> set neighbor 172.16.1.254 send-community
19. ns(trust-vr)-> set neighbor 172.16.1.254 route-map Import_ACL2 out
20. ns(trust-vr/bgp)-> save

CLI (Peer B)

Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100

Access List for all networks
4. ns(trust-vr/bgp)-> set access-list 1
5. ns(trust-vr/bgp)-> set access-list 1 permit ip 0.0.0.0/0 1

Route Map ACL 1
6. ns(trust-vr/bgp)-> set route-map name Import_Comm1 permit 90
7. ns(trust-vr/bgp)-> set match ip 1
8. ns(trust-vr/bgp)-> set match community 1

Route Redistribution
9. ns(trust-vr/bgp)-> set protocol bgp redistribute route-map Import_Comm1 protocol imported

Neighbor
10. ns(trust-vr/bgp)-> set neighbor 172.16.1.254 route-map Import_Comm1 in
11. ns(trust-vr/bgp)-> save
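Two things in the Peer A / Peer B configuration are easy to miss. First, the value 6554100 in both community-list commands is the page's 100:500 written as a single 32-bit number (100 shifted into the high 16 bits plus 500). Second, the filtering is a chain: Peer A's Import_ACL2 matches access-list 2 and tags the static route with the community, and Peer B's Import_Comm1 accepts only routes that both match access-list 1 and carry that community, so an untagged route for the same prefix is dropped. The following added example is not NetScreen code; it converts communities between the two notations and models the route-map evaluation with the page's ACL, community-list and route-map definitions embedded as a constructed configuration. Implicit deny for ACLs, community lists and route maps is an assumption; the page does not state the defaults. This example also stands in for the earlier redistribution task, since a redistribution rule is a route map applied to routes from another protocol.

```python
import ipaddress


def encode_community(text):
    """'ASN:value' -> the single 32-bit integer the CLI takes (e.g. 100:500 -> 6554100)."""
    asn, value = (int(part) for part in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"community {text!r} has a field outside 16 bits")
    return (asn << 16) | value


def decode_community(number):
    """Inverse of encode_community."""
    return f"{number >> 16}:{number & 0xFFFF}"


def acl_permits(acl, prefix):
    """Ordered (action, network) entries; first covering entry decides, else deny (assumed)."""
    net = ipaddress.ip_network(prefix)
    for action, network in acl:
        if net.subnet_of(ipaddress.ip_network(network)):
            return action == "permit"
    return False


def community_list_permits(clist, communities):
    """Ordered (action, community) entries; first entry present on the route decides."""
    for action, value in clist:
        if value in communities:
            return action == "permit"
    return False


def apply_route_map(route_map, acls, clists, route):
    """Evaluate ordered route-map entries. The first entry whose match clauses
    all succeed decides; a permit entry applies its set clauses.
    Returns (permitted, route) where route is a copy when it was modified."""
    for entry in route_map:
        if "match_ip" in entry and not acl_permits(acls[entry["match_ip"]], route["prefix"]):
            continue
        if "match_community" in entry and not community_list_permits(
                clists[entry["match_community"]], route["communities"]):
            continue
        if entry["action"] != "permit":
            return False, route
        tagged = dict(route, communities=set(route["communities"]))
        if "set_community" in entry:
            # 'set community <list>' tags the route with the list's permitted values.
            tagged["communities"].update(
                value for action, value in clists[entry["set_community"]] if action == "permit")
        return True, tagged
    return False, route


# Constructed model of the Peer A / Peer B configuration shown above.
ACLS = {1: [("permit", "0.0.0.0/0")], 2: [("permit", "10.1.1.0/24")]}
CLISTS = {1: [("permit", encode_community("100:500"))]}
PEER_A_IMPORT_ACL2 = [{"seq": 100, "action": "permit", "match_ip": 2, "set_community": 1}]
PEER_B_IMPORT_COMM1 = [{"seq": 90, "action": "permit", "match_ip": 1, "match_community": 1}]


def advertise_and_receive(prefix, communities=frozenset()):
    """Route leaves Peer A through Import_ACL2 (out) and enters Peer B through
    Import_Comm1 (in). Returns the route as Peer B accepts it, or None."""
    route = {"prefix": prefix, "communities": set(communities)}
    sent, route = apply_route_map(PEER_A_IMPORT_ACL2, ACLS, CLISTS, route)
    if not sent:
        return None
    accepted, route = apply_route_map(PEER_B_IMPORT_COMM1, ACLS, CLISTS, route)
    return route if accepted else None


if __name__ == "__main__":
    print("100:500 ->", encode_community("100:500"), "->", decode_community(6554100))
    print("10.1.1.0/24:", advertise_and_receive("10.1.1.0/24"))
    print("192.168.5.0/24:", advertise_and_receive("192.168.5.0/24"))
```

Peer B's match community clause is what makes this a positive filter: without it, access-list 1 (0.0.0.0/0) would admit every prefix Peer A sent, tagged or not.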


Setting a Local Preference


The degree to which the virtual router prefers one external route over another depends upon the LOCAL_PREF attribute. The higher the LOCAL_PREF value, the greater the preference. Routers always advertise this attribute to internal peers (that is, peers in the same AS) and to neighboring confederations, never to external peers. When a router receives a route that contains the LOCAL_PREF value, the router does not modify the route. Non-BGP routes advertised by a BGP router have a LOCAL_PREF value of 100 by default. To set or display the LOCAL_PREF attribute, use the WebUI or the CLI local-pref commands.

Example: Setting the Local Preference


In the following example, you configure a local preference value of 20 for all non-BGP routes advertised to IBGP peers.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Parameters: Type 20 in the Local Preference field, and then click OK.

CLI
1. ns(trust-vr/bgp)-> set local-pref 20
2. ns(trust-vr/bgp)-> save


Setting a Multi-Exit Discriminator (MED)


The Multi-Exit Discriminator (MED) is an optional attribute used for selecting an external BGP connection when there are multiple connections to the same AS. When all other factors are equal, the virtual router uses the connection with the lowest MED value. If an EBGP update contains a MED value, the router sends the MED to all IBGP peers within the AS. If you assign a MED to the virtual router, this value overrides any MEDs received in update messages from external peers. To set or display the MED value, use the WebUI or the CLI med commands.

Example: Setting a MED


In the following example, you override the default value (100) with a value of 20. When the virtual router readvertises the external routes to IBGP peers, the routes have a MED value of 20.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Type 20 in the Default MED field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set med 20
4. ns(trust-vr/bgp)-> save


Setting a Multi-Exit Discriminator (MED) Comparison


You can enable the BGP instance configured on a virtual router to compare paths from each autonomous system (AS) using the Multi-Exit Discriminator (MED). The MED determines the most suitable entry or exit point to each neighbor AS. To enable, disable, or display this setting, use the WebUI or the CLI always-compare-med commands.

Example: Setting a MED Comparison


In the following example, you enable the BGP instance on the Trust-VR to compare paths it receives from each AS.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Always compare med state, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set always-compare-med
4. ns(trust-vr/bgp)-> save
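Weight, local preference, MED and always-compare-med (the four preceding tasks) only make sense together, as successive tie-breakers in the best-path decision: higher weight wins, then higher LOCAL_PREF, then the shorter AS path, then the lower MED, where MED is normally compared only between paths learned from the same neighbor AS and always-compare-med lifts that restriction. The following added example is not NetScreen code and the page does not spell out ScreenOS's full tie-break order, so the order used here (the common vendor convention) and the final router-ID tie-break are assumptions; the three candidate paths are constructed, with local_pref and MED at the page's default of 100 where not stated.

```python
# Constructed candidate paths for one destination prefix, as learned from three
# peers. Weight defaults to 0 (assumption); local_pref uses the page's default 100.
PATHS = [
    {"peer": "10.0.0.1", "neighbor_as": 65010, "as_path": [65010, 65020],
     "weight": 0, "local_pref": 100, "med": 50},
    {"peer": "10.0.0.2", "neighbor_as": 65010, "as_path": [65010, 65020],
     "weight": 0, "local_pref": 100, "med": 10},
    {"peer": "10.0.0.3", "neighbor_as": 65030, "as_path": [65030, 65020],
     "weight": 0, "local_pref": 100, "med": 5},
]


def _keep(candidates, key, best):
    """Keep only the candidates whose key equals the best (max or min) key."""
    target = best(key(p) for p in candidates)
    return [p for p in candidates if key(p) == target]


def best_path(paths, always_compare_med=False):
    """Simplified BGP decision process over the attributes the page configures."""
    c = _keep(paths, lambda p: p["weight"], max)            # 1. highest weight
    c = _keep(c, lambda p: p["local_pref"], max)            # 2. highest LOCAL_PREF
    c = _keep(c, lambda p: len(p["as_path"]), min)          # 3. shortest AS path
    if always_compare_med:
        c = _keep(c, lambda p: p["med"], min)               # 4a. lowest MED overall
    else:
        # 4b. MED is comparable only among paths from the same neighbour AS:
        # within each AS keep the lowest-MED path, leave other ASs untouched.
        lowest = {}
        for p in c:
            lowest[p["neighbor_as"]] = min(lowest.get(p["neighbor_as"], p["med"]), p["med"])
        c = [p for p in c if p["med"] == lowest[p["neighbor_as"]]]
    # Final tie-break: lowest peer address stands in for the router-ID rule.
    return min(c, key=lambda p: p["peer"])


def with_attribute(paths, peer, **changes):
    """Copy of `paths` with one peer's attributes overridden (e.g. weight=30)."""
    return [dict(p, **changes) if p["peer"] == peer else p for p in paths]


if __name__ == "__main__":
    print("default:             ", best_path(PATHS)["peer"])
    print("always-compare-med:  ", best_path(PATHS, always_compare_med=True)["peer"])
    print("weight 30 on 10.0.0.1:", best_path(with_attribute(PATHS, "10.0.0.1", weight=30))["peer"])
    print("local-pref 20 on .2: ", best_path(with_attribute(PATHS, "10.0.0.2", local_pref=20))["peer"])
```

The run shows why always-compare-med is a deliberate choice: with it off, the MED 5 path from AS 65030 is never compared against the AS 65010 paths and the decision falls through to the tie-break; with it on, that path wins outright.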


Configuring a Route Reflector


A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients). This makes it unnecessary for each router in a mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS). To configure a route reflector, use the WebUI or the CLI set reflector command.

Example: Designating a Route Reflector


In the following example, you designate a route reflector in a cluster (ID number 10).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following, and then click OK:
Route Reflector: Enable
Cluster ID: 10

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set reflector cluster-id 10
4. ns(trust-vr/bgp)-> save


Setting a Neighbor as a Route Reflector Client


After setting up a route reflector to communicate route information, you must configure client devices that receive the information. To configure an IBGP neighbor as a client, use the CLI neighbor commands.

Example: Configuring an IBGP Neighbor


In the following example, you configure an IBGP neighbor (292.55.4.3) as a client.

WebUI
Note: To set a neighbor as a route reflector client, you must use the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.55.4.3 reflector-client
4. ns(trust-vr/bgp)-> save
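The two route-reflector tasks above configure a cluster ID and mark a neighbor as a client, but the page does not describe what the reflector then does with a route, or why the cluster ID exists. The rules (RFC 4456) are: a route learned from a client is reflected to every other client and to all non-client IBGP peers; a route learned from a non-client is reflected to clients only, because non-clients are expected to be fully meshed among themselves; and each reflection prepends the cluster ID to the route's CLUSTER_LIST, so a route that arrives already carrying the reflector's own cluster ID has looped and is discarded. The following added example is not NetScreen code; it uses the page's cluster ID 10 and client 192.55.4.3, and the second client and the non-client peer are constructed.

```python
# Constructed IBGP topology: this router is the reflector for cluster 10 (the
# page's cluster ID). 192.55.4.3 is the page's client; the other peers are assumed.
CLUSTER_ID = 10
CLIENTS = {"192.55.4.3", "192.55.4.4"}
NON_CLIENTS = {"192.55.4.10"}


def reflection_targets(source, clients=CLIENTS, non_clients=NON_CLIENTS):
    """IBGP peers to which a route learned from `source` is reflected (RFC 4456).

    From a client: every other client plus all non-clients.
    From a non-client: clients only (non-clients hear it over the full mesh).
    """
    if source in clients:
        return (clients - {source}) | non_clients
    if source in non_clients:
        return set(clients)
    raise ValueError(f"{source} is not a configured IBGP peer")


def accept_reflected_route(cluster_list, cluster_id=CLUSTER_ID):
    """Loop check: a route whose CLUSTER_LIST already holds our cluster ID has
    been through this cluster before and must be dropped."""
    return cluster_id not in cluster_list


def reflect(route, cluster_id=CLUSTER_ID):
    """Copy of the route with our cluster ID prepended to CLUSTER_LIST, as sent to targets."""
    return dict(route, cluster_list=[cluster_id] + list(route.get("cluster_list", [])))


if __name__ == "__main__":
    route = {"prefix": "10.1.1.0/24"}
    for source in ("192.55.4.3", "192.55.4.10"):
        print(f"from {source}: reflect to {sorted(reflection_targets(source))}")
    sent = reflect(route)
    print("sent with CLUSTER_LIST", sent["cluster_list"],
          "; accepted back?", accept_reflected_route(sent["cluster_list"]))
```

Because the loop check depends on cluster IDs being unique per cluster, two reflectors that were accidentally given the same cluster ID while serving different client sets would each discard the other's routes, which is the usual symptom to look for when clients behind a reflector stop receiving prefixes.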


Configuring a Confederation
A confederation divides an AS into smaller sub-ASs and groups them, thus reducing the number of connections inside the AS, and simplifying the routing matrices created by meshes. To create a confederation, remove a confederation, or display confederation information, use the WebUI or the CLI confederation commands.

Example: Creating a Confederation


In the following example, you create a confederation (200) and add a member (30).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Enter the following and then click OK:
Enable: (select)
ID: 200
Supported RFC: RFC 1965
Peer Member Area ID: 30

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation id 200
4. ns(trust-vr/bgp)-> set confederation peer 30
5. ns(trust-vr/bgp)-> save

Note: It is not necessary to specify RFC 1965. NetScreen BGP confederations support this RFC by default.


Adding an AS Member to a Confederation


To add an AS to a confederation, use the WebUI or the CLI set confederation { ... } peer command.

Example: Adding a New Confederation


In the following example, you add an AS (45040) to a confederation.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Type 45040 in Peer member area ID, and then click Add.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation peer 45040
4. ns(trust-vr/bgp)-> save


Index

B
BGP
  advertisements 55
  aggregates 54, 59
  AS path access list 54, 69
  community lists 54
  confederation 79
  confederations 55, 78
  default route 55
  flap-damping 55
  hold time 55
  hold timer 63
  keepalive 55
  keepalive timer 64
  local preference 55, 73
  multi-exit discriminator (MED) 54, 56
  neighbor 56
  peer enabling 55, 62
  reachable networks 56, 58
  redistribution 56
  route maps 67
  route reflector 77
  route reflectors 56, 76
  synchronization 56
  virtual routing instance 57
  weight 68

O
OSPF
  adjacency 5
  Area Border Router 4
  area range 47
  areas 3, 13
  AS Boundary Router 4
  authentication methods 8
  backbone area 3
  Backbone Router 4
  backup designated router 5
  broadcast networks 5
  clear-text password 18, 30
  configuration commands 41
  context 10
  cost 20
  database 39
  dead interval 21, 31
  default route 43, 46
  designated router 5
  hello interval 22, 32
  hello protocol 5
  hello threshold 48
  instance 11, 12
  instances 8
  interface 17
  interface characteristics 9
  interfaces 14
  Internal Router 4
  link state advertisements 7
  link-state advertisements 3
  link-state database 3
  LSA threshold 49
  MD5 password 19, 29
  neighbor list 23
  neighbor routers 5
  network types 5
  non-broadcast networks 6
  Not So Stubby Area 4
  overview 3
  point-to-point networks 6
  priority 25
  retransmit interval 24, 33
  RFC 1538 8
  RFC 1583 50
  RFC 2328 8
  route redistribution 15, 38
  route redistribution rules 37
  routing instance, creating 11
  statistics 35
  stub area 4, 40
  summary route 44
  Totally Stubby Area 4
  transit delay 26, 34
  tunnel interface 42
  virtual link 27, 28
  VPN tunnel support 8

C
CLI conventions vii
command
  set admin 69, 70, 75
conventions
  CLI vii
  WebUI vi

S
set commands
  admin 69, 70, 75

W
WebUI, conventions vi
